What’s the GDPR?

New rights for consumers, new obligations for businesses: European data protection law will receive a massive update. In this article, five HIIG researchers answered questions on the General Data Protection Regulation (GDPR) – and what’s beyond. 

1 | GDPR – what’s behind it?

Data protection – a topic that previously seemed of interest only to data protection officers. A few weeks before its entry into force on 25 May 2018, the GDPR is a key issue at national, European and international level, as it affects both the public and private sectors and brings with it many changes in the processing of personal data.

The right to the protection of personal data is enshrined in Article 8 of the Charter of Fundamental Rights of the European Union. However, the EU has not waited for the Charter of Fundamental Rights to protect personal data. In order to facilitate the flow of information in the internal market while protecting citizens’ data, the European Parliament and the Council adopted Directive 95/46/EC on the protection of individuals with regard to the processing of personal data and on the free movement of such data on 24 October 1995. In order to strengthen this right and set a standard at EU level, the GDPR proposed as a regulation. It is noteworthy that this is not a directive that the individual Member States could have interpreted for themselves with an implementation law. Instead, the EU legislator has chosen the regulation, which has a direct effect.

The standard in Germany was already high by the Federal Data Protection Act (BDSG), although the protection on constitutional level was not anchored per se: the Basic Law does not regulate the protection of personal data explicitly. This fundamental right to “informational self-determination” was established by the case-law of the Federal Constitutional Court in Article 2.1 of the Grundgesetz (German Constitution) on the basis of the general right of personality under Articles 1 and 2. It protects (among other things) the freedom of the individual to decide when and to what extent personal data is passed on. The monetary value of this data is irrelevant, but it must be linked to a specific person, regardless of whether it is a private or a legal entity.

An important change in the data protection is that the territorial scope of the GDPR has broadened compared to the BDSG: The regulation is already applicable if the data processing is related to the offer of goods or services to the persons concerned within the EU, or if the behaviour of the activities of the affected persons take place in the EU (Art. 3 DSGVO). In this case it is irrelevant whether data processing takes place in the EU. In view of the global digital economy, this is a consistent protection mechanism that obliges economic actors to take the rights of European consumers with regard to their personal data seriously. The GDPR could also develop a model function for other states to harmonise their data protection policies.

Amélie Heldt

2 | The four main innovations of the EU’s General Data Protection Regulation

The GDPR will become applicable on 25 May with a double promise: not only to provide better protection for those affected by automatic data processing, but also to provide a competitive advantage for data controllers. But what does this advantage look like?

The GDPR replaces the current EU data protection directive and the national data protection laws based on it and adapts the provisions contained therein to the challenges of the digital age. As an ordinance, unlike the directive, it is directly applicable in all EU member states. From the economic perspective, the GDPR is often criticised as a major hurdle, in particular because it would not bring with it any regulatory innovations that would be suitable for overcoming the challenges.

These challenges lie in the high innovation dynamics in data-driven markets, which can be summarized with the following question: How can the legislator protect against the risks of innovations which, by definition, it does not even know? The GDPR is said not to take a new regulatory approach that could deal with this challenge, but to continue the same (classical) approach from the old directive: old wine in new wineskins. On closer inspection, however, the GDPR does provide legislative innovations which can represent a competitive advantage, especially for European companies processing personal data.

The marketplace principle: Common Level Playing Field for European and non-European companies

Before the GDPR became applicable, complaints were filed by European-based data processing companies that suffered a competitive disadvantage vis-à-vis non-European companies: foreign companies were not required to comply with the strict data protection laws of the EU. The market place principle – one of the most important innovations of the GDPR – now creates a “Common Level Playing Field” for all companies. This means that the GDPR applies to everyone, regardless of whether personal data is processed inside or outside the EU. The applicability of the Regulation no longer depends exclusively on the registered office of the companies in the EU. Rather, the Regulation also applies to companies established outside the EU but whose data processing is related to goods or services offered in the EU (or processing results in the observation of human behaviour taking place in the EU).

The risk-based approach: between effective risk protection and openness to innovation

The fact that the GDPR applies equally to all data processing companies does not, of course, say anything about whether it unnecessarily hinders data-driven innovations – for which there is undoubtedly a social need. In this context, the so-called risk-based approach is one of the most important innovations of the GDPR. The risk-based approach means that the general principles that apply in principle to any processing of personal data must be applied according to the specific risk in the respective processing context.

The processing principles – such as the principles of lawfulness of processing, transparency, data minimisation and purpose limitation – are therefore not always applicable in the same way. Rather, it depends on the respective risk whether and above all how these principles are to be implemented. In the case of a very high risk, the principles must be applied more strictly than if data processing involves only a low risk.

The GDPR thus does not represent the same regulatory burden for every data processing. This burden is higher for high-risk processing and lower for low-risk processing. This gives the data controller considerable scope as to how it wishes to structure its data processing, the risk it causes for the data subjects – and, ultimately, how high the regulatory requirements for its data processing are. Thus, the data controller can essentially design its data-driven innovation processes itself. With the risk-based approach, the legislator has thus basically created a law that is open to innovation.

Instruments of co-regulation: Innovation-promoting effects of codes of conduct and certificates

However, the risk-based approach is accompanied by considerable legal uncertainty. Because even if a data controller tries to implement the data protection principles as best as possible in view of the respective risk, it does not know whether it meets the expectations of the responsible data protection authority with this concrete implementation. However, the legislator has also recognised this problem and has therefore established so-called “co-regulation” procedures in the regulation. Through these procedures, the data controller is in a position to specify the implementation of the principles together with the competent data protection authority.

Such procedures are provided for in the GDPR primarily in the form of certification mechanisms and codes of conduct. Data controllers can use certification mechanisms to specify the data protection principles for individual processes – or for data-driven products or services that are based on specific processing processes. Such a certificate must first be approved by the data protection authority. Once a data controller has standardized its concrete implementation of the data protection principles for its processes or products in the form of such a certificate, it can generally rely on its data processing being regarded by the data protection authority as compatible with the GDPR.

The same applies to behavior guidelines. Data controllers in a specific sector – for example, in the automotive, insurance or advertising industries – can adopt a common “Code of Conduct”. Anyone who adheres to such a Code of Conduct, which has been approved by a data protection authority, can generally assume that their data processing is compatible with the GDPR. As a result, both companies and consumers benefit from increased legal certainty. This effect should not be underestimated: Scientific studies indicate that such a relief has innovation-promoting effects. These include the signal effect that data protection certificates and codes of conduct can have on consumers, business customers and investors.

From carrot to stick: The increased threats of fines

Not all actors are attracted by the prospect of increased legal certainty. Some companies may well conclude that compliance with data protection regulations – especially in the case of high risk – is simply not economically worthwhile for them (for example because the effort to reduce these high risks would be too costly). In this case, the legislator also has an innovation ready in the form of considerably higher fines for data protection violations: The fines also depend on the turnover of the company in breach of the law. Violations of certain data protection regulations can result in a payment of up to 4% of annual global turnover. These massively increased threats of fines ultimately create a competitive advantage for companies that strive for the proper implementation of data protection regulations.

In order for these four innovations to actually lead to the much-vaunted competitive advantage of the GDPR, however, all parties involved must understand this regulatory concept and use it to their advantage. First of all, the data protection authorities and courts must interpret the GDPR in the sense described here. Data controllers must use the regulatory approach as a business opportunity. Only if they see compliance with the GDPR as a competitive advantage and position themselves accordingly in the market can the innovation-promoting effects occur. Ultimately, it also depends on business customers and consumers of data-driven products and services whether the competitive advantage is realized. Only if they regard compliance with the GDPR as a quality feature and reward it through their purchasing decisions can the cycle of supply and demand close with regard to data protection-friendly products and the innovative regulatory approach develop its full dynamism in the market.

Max von Grafenstein

3 | What exactly does the DSGVO do with regard to algorithmic decisions – and what not?

For a recent report by the Bertelsmann Foundation, me and Stephan Dreyer from the Hans Bredow Institute investigated whether the individual rights to use their own data for fully automated ADM systems (algorithmic decision making, in short: ADM), which become effective with the implementation of the GDPR, can also remedy systematic shortcomings or discrimination against entire groups of people. These systems work without human intervention and therefore fall under the regulation of the DSGVO, according to which in future automated decisions – if they are permissible at all – must be explained how they came about: Article 15 Paragraph 1 GDPR states that individuals affected by automated decisions have a right to “meaningful information about the logic involved”.

However, the GDPR primarily regulates the protection of individuals; the new data protection regulation is blind to incorrect assessment or systematic discrimination against larger groups through automated decisions. In order to uncover the discrimination of certain groups through algorithmic decision-making procedures, the classic rights of the individual to information and defence are not sufficient: The mere fact that the individual is informed of how the automated decision was made does not change anything for discriminated groups. Since the GDPR in no way demands that business secrets be ruined by transparency obligations, we cannot currently expect full disclosure of mathematical-statistical procedures – such as the Schufa Score – even if companies have to explain more than before.

If algorithmised decision-making procedures decide whether to grant a loan or fill a position, things are not necessarily fairer. The new GDPR falls far too short in cases of discrimination through algorithms and artificial intelligence.

Wolfgang Schulz

4 | Is the Facebook data scandal justified? Can the GDPR counteract this?

No, the scandal is not justified. Facebook has only done what it has been given permission to do. That they have not read the various statements, such as the data policy, the privacy policy or the community guidelines of the social media platform before they have consented to Facebook’s data processing, is certainly a problem – but not one for which Facebook is responsible. The same users have not read the GDPR either. If one follows the public debate at present – for example on the so-called data scandal of the German Post – then it becomes apparent that the vast majority of people have expectations of the GDPR that it does not fulfil. And which it also does not want to fulfil, as the European legislator has written in detail both in the legislative text and in the recitals.

For example, the public is constantly given the impression – and this is also explicitly given by the data protection supervisory authorities – that data processing is only permissible with consent. However, the GDPR says otherwise: Article 6(1)(f) permits data processing if it is “necessary to safeguard the legitimate interests of the person responsible or a third party”. Recital 47 states: “The processing of personal data for direct marketing purposes may be regarded as processing in a legitimate interest.

Read more about the facebook data scandal here (English).

The GDPR will not be able to counteract the “data scandal” insofar as the scandalisation follows its own rules, which need not necessarily have anything to do with the legal situation. With regard to the use of data for election campaigns, reference is made here to § 50 paragraph 1 of the Federal Notification Act, according to which notification data are issued to “parties, voter groups and other bodies responsible for election proposals”. And in connection with the accusation of voter manipulation, reference is made here to the former federal chairman of the SPD: “I stand by it: It is not fair that we are often measured by election campaign statements.

Jörg Pohle

5 | Does Trump’s CLOUD Act render the GDPR ineffective?

What is new is that US investigative authorities can now access data stored abroad, irrespective of regulations under foreign law, insofar as they are managed and processed by US companies. This will extend the powers of US authorities for the first time and simplify access to data. The 18 U.S.C. § 2713 required providers and cloud providers to publish content “regardless of whether the communication, recording or other information is inside or outside the US”. However, service providers have the possibility to object to official orders within 14 days if the publication contradicted foreign law. However, judicial control – i.e. possibly the amendment or repeal of an official order – only occurs in the event of a legal conflict with so-called “qualified countries”. These, in turn, are countries that have signed a data protection agreement with the USA. The court then weighs up the assets and examines the investigative interest, the interests of the qualified country and the probability or extent of the offence abroad.

In Europe, the GDPR will apply from 25 May 2018. It brings the various data protection regulations of the EU member states into line with a uniform level of protection. In particular, Articles 44 of the GDPR is interesting. It regulates data transmission to third countries and thus tries to ensure that the guaranteed level of protection cannot simply be undermined by data export. The EU Commission must comply with the effective monitoring of compliance with data protection rules by independent supervisory authorities and obligations under international conventions, taking into account case law, the rule of law, human rights and fundamental freedoms.

Officially, the CLOUD Act aims to simplify cross-border investigations. This is often hampered by the laws of other countries. And since the GDPR also regulates matters relating to foreign countries, conflicts with the CLOUD Act may well arise. The agreement aims at concluding a privacy and data exchange agreement with the USA, which in turn grants the authorities a restriction of access and the possibility of control in the US. Only then is foreign law (here the GDPR) taken into account by the CLOUD ACT in the first place. Even if the EU signed an agreement to this effect and became a qualified “country”, it would still be questionable whether the procedure would meet the high requirements of the GDPR.

Kevin Klug

Title image: Flickr, Convert GDPR, CC BY 2.0